Banks dragging feet on reporting breaches: ASIC
Banks are taking an average of more than four years to detect and report breaches, ASIC has told the bank inquiry.
The big four banks and other large financial institutions are taking an average of more than four years to detect and report breaches of their licenses, the corporate regulator has told the banking royal commission.
In a witness statement tendered to the commission, Australian Securities and Investments Commission deputy chairman Peter Kell slammed the big industry players, saying they “too often take overly technical legal points, or fail to make timely breach reports, or fail to constructively respond to notices for the production of documents”.
He called for ASIC to be given tough new powers to clean up the industry, including the ability to tell financial services licensees not to accept new clients.
Since June 2016, ASIC has been conducting a “breach reporting surveillance project” across 12 institutions — including the big four banks — which is due to be finished in July, Mr Kell said.
Among the project's “key preliminary findings” are that the average time taken from a breach occurring to the institution identifying it as needing investigation was 1,552 days — or just over four years.
On average it took an additional 123 days — or about four months — to lodge a breach report with ASIC.
The law requires financial services licensees to lodge reports with ASIC within 10 days of becoming aware of a serious breach.
While it took institutions an average of just 18 days to fix their systems once a problem was identified, remediation for customers was much slower, taking an average of 217 days before the first payment was made to a customer.
“ASIC considers that these preliminary findings tend to confirm its concerns about the timeliness and consistency of breach reporting,” Mr Kell said.
He took aim at the culture of the industry, which has already emerged as a key focus of the royal commission.
“From time to time, for instance, ASIC considers that the focus of the large financial services entities is too narrowly and pedantically on technical legal compliance, which results in an emphasis on technical, legal arguments about whether particular conduct or practices are ‘lawful’, rather than whether they are producing good outcomes for their customers or are, in a broader sense, fair or consistent with the underlying policy or intent of the law,” he said.
“Such an attitude can play out in many different ways, including in negative impacts of conflicts of interest going unchecked, delays or failures, legalistic approaches to remediation and failures to proactively address known industry problems.”